Resolved Bugs
1126712 – CVE-2014-8242 librsync: MD4 collision file corruption
1126719 – librsync: rsync: checksum collisions leading to a denial of service [epel-all]<br
Changes in librsync 1.0.0 (2015-01-23)
======================================
* SECURITY: CVE-2014-8242: librsync previously used a truncated MD4 “strong” check sum to match blocks. However, MD4 is not cryptographically strong. It’s possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it’s transferred using librsync/rdiff. For example this might occur in a database, mailbox, or VM image containing some attacker-controlled data. To mitigate this issue, signatures will by default be computed with a 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad magic number when given these signature files. Backward compatibility can be obtained using the new `rdiff sig –hash=md4` option or through specifying the “signature magic” in the API, but this should not be used when either the old or new file contain untrusted data. Deltas generated from those signatures will also use BLAKE2 during generation, but produce output that can be read by old versions. See https://github.com/librsync/librsync/issues/5. Thanks to Michael Samuel for reporting this and offering an initial patch.
* Various build fixes, thanks Timothy Gu.
* Improved rdiff man page from Debian.
* Improved librsync.spec file for building RPMs.
* Fixed bug #1110812 ‘internal error: job made no progress’; on large files.
* Moved hosting to https://github.com/librsync/librsync/
* Travis-CI.org integration test at https://travis-ci.org/librsync/librsync/
* Remove bundled copy of popt; it must be installed separately.
* You can set `$LIBTOOLIZE` before running `autogen.sh`, for example on OS X Homebrew where it is called `glibtoolize`.

Resolved Bugs
1197822 – CVE-2015-2172 dokuwiki: privilege escalation in RPC API
1064524 – Wrong SELinux type in dokuwiki-selinux package
1150134 – dokuwiki: various security flaws [epel-all]
1174333 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-6]
1061477 – wiki:syntax page requires php-xml to render
1150133 – dokuwiki: various security flaws [fedora-all]
1174331 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [fedora-all]
1161816 – dokuwiki is 5 months out of date, 2 versions and 3 hotfixes behind
1174332 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-5]
1101095 – New release available – 2014-05-05 “Ponder Stibbons”
1164396 – dokuwiki requires apache
1166099 – CVE-2012-6662 dokuwiki: jquery-ui: XSS vulnerability in default content in Tooltip widget [fedora-all]
1164394 – Add dokuwiki to epel7<br
This update fixes CVE-2015-2172
* There’s a security hole in the ACL plugins remote API component. The plugin failes to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also has permissions to set up their own ACL rules and thus circumventing any existing rules.
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
This update adds dokuwiki package to EPEL7

Resolved Bugs
1126712 – CVE-2014-8242 librsync: MD4 collision file corruption
1126719 – librsync: rsync: checksum collisions leading to a denial of service [epel-all]<br
Changes in librsync 1.0.0 (2015-01-23)
======================================
* SECURITY: CVE-2014-8242: librsync previously used a truncated MD4 “strong” check sum to match blocks. However, MD4 is not cryptographically strong. It’s possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it’s transferred using librsync/rdiff. For example this might occur in a database, mailbox, or VM image containing some attacker-controlled data. To mitigate this issue, signatures will by default be computed with a 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad magic number when given these signature files. Backward compatibility can be obtained using the new `rdiff sig –hash=md4` option or through specifying the “signature magic” in the API, but this should not be used when either the old or new file contain untrusted data. Deltas generated from those signatures will also use BLAKE2 during generation, but produce output that can be read by old versions. See https://github.com/librsync/librsync/issues/5. Thanks to Michael Samuel for reporting this and offering an initial patch.
* Various build fixes, thanks Timothy Gu.
* Improved rdiff man page from Debian.
* Improved librsync.spec file for building RPMs.
* Fixed bug #1110812 ‘internal error: job made no progress’; on large files.
* Moved hosting to https://github.com/librsync/librsync/
* Travis-CI.org integration test at https://travis-ci.org/librsync/librsync/
* Remove bundled copy of popt; it must be installed separately.
* You can set `$LIBTOOLIZE` before running `autogen.sh`, for example on OS X Homebrew where it is called `glibtoolize`.

Resolved Bugs
1197822 – CVE-2015-2172 dokuwiki: privilege escalation in RPC API
1064524 – Wrong SELinux type in dokuwiki-selinux package
1150134 – dokuwiki: various security flaws [epel-all]
1174333 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-6]
1061477 – wiki:syntax page requires php-xml to render
1150133 – dokuwiki: various security flaws [fedora-all]
1174331 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [fedora-all]
1161816 – dokuwiki is 5 months out of date, 2 versions and 3 hotfixes behind
1174332 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-5]
1101095 – New release available – 2014-05-05 “Ponder Stibbons”
1164396 – dokuwiki requires apache
1166099 – CVE-2012-6662 dokuwiki: jquery-ui: XSS vulnerability in default content in Tooltip widget [fedora-all]
1164394 – Add dokuwiki to epel7<br
This update fixes CVE-2015-2172
* There’s a security hole in the ACL plugins remote API component. The plugin failes to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also has permissions to set up their own ACL rules and thus circumventing any existing rules.
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
This update adds dokuwiki package to EPEL7

Resolved Bugs
1196154 – libmspack: various flaws [fedora-all]
1196153 – libmspack: off-by-one(?) buffer under-read in mspack/lzxd.c
1196157 – libmspack: off-by-one buffer over-read in mspack/mszipd.c
1180177 – libmspack: pointer arithmetic overflow during CHM decompression
1180180 – libmspack: pointer arithmetic overflow during CHM decompression [fedora-all]
1180175 – libmspack: denial of service while processing crafted CHM file (floating point exception)
1180178 – libmspack: denial of service while processing crafted CHM file (floating point exception) [fedora-all]
1178867 – CVE-2014-9556 libmspack: buffer overflow causing denial of service in qtmd_decompress()
1179822 – CVE-2014-9556 libmspack: buffer overflow causing denial of service in qtmd_decompress() [fedora-all]<br
updated to bugfix release 0.5alpha

Resolved Bugs
1197822 – CVE-2015-2172 dokuwiki: privilege escalation in RPC API
1064524 – Wrong SELinux type in dokuwiki-selinux package
1150134 – dokuwiki: various security flaws [epel-all]
1174333 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-6]
1061477 – wiki:syntax page requires php-xml to render
1150133 – dokuwiki: various security flaws [fedora-all]
1174331 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [fedora-all]
1161816 – dokuwiki is 5 months out of date, 2 versions and 3 hotfixes behind
1174332 – CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-5]
1101095 – New release available – 2014-05-05 “Ponder Stibbons”
1164396 – dokuwiki requires apache
1166099 – CVE-2012-6662 dokuwiki: jquery-ui: XSS vulnerability in default content in Tooltip widget [fedora-all]
1164394 – Add dokuwiki to epel7<br
This update fixes CVE-2015-2172
* There’s a security hole in the ACL plugins remote API component. The plugin failes to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also has permissions to set up their own ACL rules and thus circumventing any existing rules.
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
Update to the 2014-09-29b release which contains various fixes, notably:
Security:
* CVE-2014-9253 – XSS via SFW file upload
* CVE-2012-6662 – jquery-ui XSS vulnerability
Bugfixes:
* dokuwiki requires php-xml (RHBZ#1061477)
* wrong SELinux file context for writable files/directories (RHBZ#1064524)
* drop httpd requirement (RHBZ#1164396)
This update adds dokuwiki package to EPEL7

Resolved Bugs
1198794 – CVE-2015-2206 phpMyAdmin: Risk of BREACH attack due to reflected parameter (PMASA-2015-1)
1199195 – CVE-2015-2206 phpMyAdmin: Risk of BREACH attack due to reflected parameter (PMASA-2015-1) [fedora-all]<br
phpMyAdmin 4.3.11.1 (2015-03-04)
================================
– [security] Risk of BREACH attack, see PMASA-2015-1

Resolved Bugs
1126719 – librsync: rsync: checksum collisions leading to a denial of service [epel-all]
1126712 – CVE-2014-8242 librsync: MD4 collision file corruption<br
Changes in librsync 1.0.0 (2015-01-23)
======================================
* SECURITY: CVE-2014-8242: librsync previously used a truncated MD4 “strong” check sum to match blocks. However, MD4 is not cryptographically strong. It’s possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it’s transferred using librsync/rdiff. For example this might occur in a database, mailbox, or VM image containing some attacker-controlled data. To mitigate this issue, signatures will by default be computed with a 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad magic number when given these signature files. Backward compatibility can be obtained using the new `rdiff sig –hash=md4` option or through specifying the “signature magic” in the API, but this should not be used when either the old or new file contain untrusted data. Deltas generated from those signatures will also use BLAKE2 during generation, but produce output that can be read by old versions. See https://github.com/librsync/librsync/issues/5. Thanks to Michael Samuel for reporting this and offering an initial patch.
* Various build fixes, thanks Timothy Gu.
* Improved rdiff man page from Debian.
* Improved librsync.spec file for building RPMs.
* Fixed bug #1110812 ‘internal error: job made no progress’; on large files.
* Moved hosting to https://github.com/librsync/librsync/
* Travis-CI.org integration test at https://travis-ci.org/librsync/librsync/
* Remove bundled copy of popt; it must be installed separately.
* You can set `$LIBTOOLIZE` before running `autogen.sh`, for example on OS X Homebrew where it is called `glibtoolize`.

Resolved Bugs
1198192 – CVE-2015-2157 putty: failure to scrub private keys from memory after use
1198195 – CVE-2015-2157 putty: failure to scrub private keys from memory after use [epel-all]<br
Fixed an issue when private keys weren’t scrub from memory after use.

Resolved Bugs
1198794 – CVE-2015-2206 phpMyAdmin: Risk of BREACH attack due to reflected parameter (PMASA-2015-1)
1199195 – CVE-2015-2206 phpMyAdmin: Risk of BREACH attack due to reflected parameter (PMASA-2015-1) [fedora-all]<br
phpMyAdmin 4.0.10.9 (2015-03-04)
================================
– [security] Risk of BREACH attack, see PMASA-2015-1